OAK-9795 : Best practices: explicitly discourage ac setup for anonymous
anchela committed Jun 7, 2022
1 parent 71d94d6 commit 588b36037f14e48d3cc2e928a571746452bacf03
Showing 1 changed file with 7 additions and 0 deletions.
@@ -201,6 +201,13 @@ your `PrincipalProvider` resolves principal membership according to your needs.
Further, note that the default authorization model will give precedence to user principals upon evaluation in other words
default access control entries for user principals will overwrite the effect of groups irrespective of the order in the list (see next section).

The above rule is particularly important for the anonymous user marking access with `GuestCredentials`.
If you setup access control for anonymous it will result in the guest account to have effective permissions that do
not apply for any authenticated session.

What is usually intended instead is setting up permissions for the _everyone_ group. See also
[PrincipalManager.getEveryone()](/oak/docs/apidocs/org/apache/jackrabbit/api/security/principal/PrincipalManager.html#getEveryone)

### Understand default access control and permission management

#### Remember inheritance
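Review bot: the wording of the added paragraph needs tightening before it ships as best-practice documentation. "the anonymous user marking access with `GuestCredentials`" does not parse; it presumably means the anonymous user logging in with `GuestCredentials`. "If you setup access control for anonymous it will result in the guest account to have effective permissions that do not apply for any authenticated session" should read "If you set up access control for anonymous, the guest account will have effective permissions that do not apply to any authenticated session." Consider also adding the one-clause reason, which follows directly from the preceding context lines: anonymous is a user principal, so entries for it take precedence over entries for groups such as _everyone_ and therefore only affect the guest session, which is why the _everyone_ group is the right target. Finally, the "See also" sentence is missing its closing period.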
